'Cyber War' by Richard Clarke

April 20, 2010

A nation that has invented the new technology, and the tactics
to use it, may not be the victor, if its own military is mired in the
ways of the past, overcome by inertia, overconfident in the weapons
they have grown to love and consider supreme. The originator of the
new offensive weaponry may be the loser unless it has also figured
out how to defend against the weapon it has shown to the rest of the
world. Thus, even though the American colonel Billy Mitchell was
the first to understand the ability of small aircraft to sink mighty
battleships, it was the Japanese Imperial Navy that acted on that
understanding, and came close to defeating the Americans in the
Pacific in World War II. It was Britain that first developed the tank,
and a French colonel, Charles de Gaulle, who devised the tactics of
rapid attack with massed tanks, supported by air and artillery. Yet
it was a recently defeated Germany that perfected the tank in the
1930s and first employed de Gaulle's tactics, which later became
known as blitzkrieg. (As recently as 1990, and again in 2003, the
U.S. military went to war with an updated version of the seventy-year-old
blitzkrieg tactic: fast movement of heavy tank units, supported
by aircraft.)
Warmed by the camaraderie of my fellow ex-students, and by
the martinis, I left the brownstone and wandered out into that cold
night, pondering this irony of history, and making a commitment to
myself, and to Bill, that I would try to stimulate open, public analysis
and discussion of cyber-war strategy before we stumbled into such
a conflict. This book is the down payment on that commitment. I
knew that I needed a younger partner to join me in trying to understand
the military and technological implications of cyber war
well enough to produce this book. Different generations think of
cyberspace differently. For me, looking at my sixtieth birthday in
2010, cyberspace is something that I saw gradually creep up around
me. It happened after I had already had a career dealing with nuclear
weapons, in a bipolar world. I became the first Special Advisor to the
President for Cyber Security in 2001, but my views of cyber war are
colored by my background in nuclear strategy and espionage.
Rob Knake was thirty when he and I wrote this book. For his
generation, the Internet and cyberspace are as natural as air and water.
Rob's career has focused on homeland security and the transnational
threats of the twenty-first century. We have worked together
at Harvard's Kennedy School of Government, at Good Harbor Consulting,
and on the Obama for America campaign. In 2009, Rob
won the prestigious International Affairs Fellowship at the Council
on Foreign Relations with an appointment to study cyber war. We
decided to use the first-person singular in the text because many
times I will be discussing my personal experiences with government,
with the information-technology industry, and with Washington's
clans, but the research, writing, and concept development were a
joint enterprise. We have wandered around Washington and other
parts of this country together in search of answers to the many questions surrounding cyber war. Many people
have helped us in that
search, some of them wishing to remain unnamed in this book because
of their past or present associations. We had spent long hours
discussing, debating, and arguing until we found a synthesis of our
views. Rob and I both agree that cyber war is not some victimless,
clean, new kind of war that we should embrace. Nor is it some kind
of secret weapon that we need to keep hidden from the daylight and
from the public. For it is the public, the civilian population of the
United States and the publicly owned corporations that run our key
national systems, that are likely to suffer in a cyber war.

While it may appear to give America some sort of advantage, in
fact cyber war places this country at greater jeopardy than it does
any other nation. Nor is this new kind of war a game or a figment
of our imaginations. Far from being an alternative to conventional
war, cyber war may actually increase the likelihood of the more traditional
combat with explosives, bullets, and missiles. If we could
put this genie back in the bottle, we should, but we can't. Therefore,
we need to embark on a complex series of tasks: to understand what
cyber war is, to learn how and why it works, to analyze its risks, to
prepare for it, and to think about how to control it.

This book is an attempt to begin to do some of that. It is not
a technical book, not meant to be an electrical engineer's guide to
the details of cyber weapons. Nor is it designed to be a Washington
wonk's acronym-filled, jargon-encrusted political or legal exegesis.
Finally, it is also definitely not a military document and not written
to be immediately translatable into Pentagonese. Therefore,
some experts in each of those fields may think the book simplistic
in places where it discusses things they understand and opaque in
parts that stretch beyond their expertise. Overall, we have tried to
strike a balance and to write in an informal style that will be both
clear and occasionally entertaining. Lest you take too much comfort
in those assurances, however, it is necessary in a book on this subject to discuss the technology, the ways of Washington, as well as some
military and intelligence themes. Likewise, it is impossible to avoid
entirely the use of acronyms and jargon, and therefore we include a
glossary (starting on page 281).

I have been taught by senior national security officials for decades
never to bring them a problem without also suggesting a solution.
This book certainly reveals some problems, but it also discusses potential
solutions. Putting those or other defenses in place will take
time, and until they are a reality, this nation and others are running
some new and serious risks to peace, to international stability, to internal
order, and to our national and individual economic well-being.

The authors wish to thank the many people
who helped us with
this book, most important the experts in and out of governments
who helped us on condition that they go unnamed. Pieter Zatko,
John Mallery, Chris Jordan, Ed Amoroso, Sami Saydjari, and Barnaby
Page helped us understand some of the more technical aspects
of cyber security. Paul Kurtz served as a constant sounding board
and helped shape our thinking in innumerable ways. Ken Minihan,
Mike McConnell, and Rich Wilhelm gave us added insight from
their decades in government and the private sector. Alan Paller,
Greg Rattray, and Jim Lewis gave their insights and latest thinking
on this complex topic. We thank Janet Napolitano for taking time
out of her busy schedule to meet with us and for being willing to do
so on the record. We also thank Rand Beers for his wisdom. Will
Howerton helped in a major way to get this book across the finish
line. He possesses a keen editorial eye and a gift for research. Will
Bardenwerper also provided editorial assistance.
Bev Roundtree, as she has been on so many projects over the
decades, was the sine qua non.

Chapter 1: Trial Runs

A quarter-moon reflected on the slowly flowing Euphrates, a river
along which nations have warred for five thousand years. It was
just after midnight, September 6, 2007, and a new kind of attack
was about to happen along the Euphrates, one that had begun in
cyberspace. On the east side of the river, seventy-five miles south into
Syria from the Turkish border, up a dry wadi from the riverbank, a
few low lights cast shadows on the wadi's sandy walls. The shadows
were from a large building under construction. Many North Korean
workers had left the construction site six hours earlier, queuing in
orderly lines to load onto buses for the drive to their nearby dormitory.
For a construction site, the area was unusually dark and unprotected,
almost as if the builder wanted to avoid attracting attention.

Without warning, what seemed like small stars burst above the site, illuminating the area with a blue-white clarity brighter than
daylight. In less than a minute, although it seemed longer to the
few Syrians and Koreans still on the site, there was a blinding flash,
then a concussive sound wave, and then falling pieces of debris. If
their hearing had not been temporarily destroyed by the explosions,
those on the ground nearby would then have heard a longer acoustic
wash of military jet engines blanketing the area. Had they been able
to look beyond the flames that were now sweeping the construction
site, or above the illuminating flares that were still floating down
on small parachutes, the Syrians and Koreans might have seen F-15
Eagles and F-16 Falcons banking north, back toward Turkey. Perhaps
they would even have made out muted blue-and-white Star of
David emblems on the wings of the Israeli Air Force strike formation
as it headed home, unscathed, leaving years of secret work near
the wadi totally destroyed.

Almost as unusual as the raid itself was the political silence that
followed. The public affairs offices of the Israeli government said
nothing. Even more telling, Syria, which had been bombed, was
silent. Slowly, the story started to emerge in American and British
media. Israel had bombed a complex in eastern Syria, a facility being
built by North Koreans. The facility was related to weapons of mass
destruction, the news accounts reported from unnamed sources. Israeli
press censors allowed their nation's newspapers to quote American
media accounts, but prohibited them from doing any reporting
of their own. It was, they said, a national security matter. Prompted
by the media accounts, the Syrian government belatedly admitted
there had been an attack on their territory. Then they protested it,
somewhat meekly. Syrian President Assad asserted that what had
been destroyed was "an empty building." Curiously, only North Korea
joined Damascus in expressing outrage at this surprise attack.

Media accounts differed slightly as to what had happened and
why, but most quoted Israeli government sources as saying that the facility had been a North Korean–designed nuclear weapons plant.
If that was true, North Korea had violated an agreement with the
United States and other major powers that it would stop selling nuclear
weapons know-how. Worse, it meant that Syria, a nation on
Israel's border, a nation that had been negotiating with Israel through
the Turks, had actually been trying secretly to acquire nuclear weapons,
something that even Saddam Hussein had stopped doing years
before the U.S. invasion of Iraq.

Soon, however, self-anointed experts were casting doubt on the
"Syria was making a nuclear bomb" story.

Satellite pictures, taken by reconnaissance satellite, were revealed
by Western media. Experts noted that the site had little security
around it before the bombing. Some contended that the building
was not tall enough to house a North Korean nuclear reactor. Others
pointed to the lack of any other nuclear infrastructure in Syria.

They offered alternative theories. Maybe the building was related to
Syria's missile program. Maybe Israel had just gotten it wrong and
the building was relatively innocent, like Saddam Hussein's alleged
"baby milk factory" of 1990 or Sudan's supposed aspirin plant of
1998, both destroyed in U.S. strikes. Or maybe, said some commentators,
Syria was not the real target. Maybe Israel was sending a message
to Iran, a message that the Jewish state could still successfully
carry out surprise air strikes, a message that a similar strike could
occur on Iranian nuclear facilities unless Tehran stopped its nuclear
development program.

Media reports quoting unnamed sources claimed various degrees
of American involvement in the raid: the Americans had discovered
the site on satellite photography, or the Americans had overlooked
the site and the Israelis had found it on satellite images given to
them routinely by the U.S. intelligence community; the Americans
had helped plan the bombing, perhaps persuading the Turkish military
to look the other way as the Israeli attack formation sailed over Turkey to surprise Syria by attacking from the north. Americans—
or were they Israelis?—had perhaps snuck into the construction
site before the bombing to confirm the North Korean presence,
and maybe verify the nuclear nature of the site. President George
W. Bush, uncharacteristically taciturn, flatly refused to answer a
reporter's question about the Israeli attack.

The one thing that most analysts agreed upon was that something
strange had happened. In April 2008, the CIA took the unusual
step of producing and publicly releasing a video showing clandestine
imagery from inside the facility before it was bombed. The film left
little doubt that the site had been a North Korean–designed nuclear
facility. The story soon faded. Scant attention was paid when, seven
months later, the UN's International Atomic Energy Agency (IAEA)
issued its report. It had sent inspectors to the site. What the inspectors
found was not a bombed-out ruin, nor did they come upon a
beehive of renewed construction activity. Instead, the international
experts were taken to a site that had been neatly plowed and raked,
a site showing no signs of debris or construction materials. It looked
like an unimproved home lot for sale in some desert community
outside of Phoenix, perfectly anodyne. The disappointed inspectors
took pictures. They filled plastic ziplock baggies with soil samples
and then they left the banks of the Euphrates and flew back to their
headquarters on an island in the Danube near Vienna. There they
ran tests in their laboratories.

The IAEA announced, again to little attention, that the soil samples
had contained unusual, "man-made," radioactive materials. For
those few who had been following the mystery of Syria's Euphrates
enigma, that was the end of the story, vindicating Israel's highly
regarded intelligence service.

Despite how unlikely it seemed, Syria
in fact had been secretly fooling around with nuclear weapons, and
the bizarre regime in North Korea had been helping. It was time to
reassess the intentions of both Damascus and Pyongyang.

Behind all of this mystery, however, was another intrigue. Syria
had spent billions of dollars on air defense systems. That September
night, Syrian military personnel were closely watching their radars.
Unexpectedly, Israel had put its troops on the Golan Heights on
full alert earlier in the day. From their emplacements on the occupied
Syrian territory, Israel's Golani Brigade could literally look
into downtown Damascus through their long-range lenses. Syrian
forces were expecting trouble. Yet nothing unusual appeared on
their screens. The skies over Syria seemed safe and largely empty
as midnight rolled around. In fact, however, formations of Eagles
and Falcons had penetrated Syrian airspace from Turkey. Those aircraft,
designed and first built in the 1970s, were far from stealthy.
Their steel and titanium airframes, their sharp edges and corners,
the bombs and missiles hanging on their wings, should have lit up
the Syrian radars like the Christmas tree illuminating New York's
Rockefeller Plaza in December. But they didn't.

What the Syrians slowly, reluctantly, and painfully concluded the
next morning was that Israel had "owned" Damascus's pricey air defense
network the night before. What appeared on the radar screens
was what the Israeli Air Force had put there, an image of nothing.
The view seen by the Syrians bore no relation to the reality that their
eastern skies had become an Israeli Air Force bombing range. Syrian
air defense missiles could not have been fired because there had
been no targets in the system for them to seek out. Syrian air defense
fighters could not have scrambled, had they been fool enough to
do so again against the Israelis, because their Russian-built systems
required them to be vectored toward the target aircraft by ground-based
controllers. The Syrian ground-based controllers had seen no
targets.

By that afternoon, the phones were ringing in the Russian Defense
Ministry off Red Square. How could the Russian air defense
system have been blinded? Syria wanted to know. Moscow promised to send experts and technicians right away. Maybe there had been an
implementation problem, maybe a user error, but it would be fixed
immediately. The Russian military-industrial complex did not need
that kind of bad publicity about its products. After all, Iran was
about to buy a modern air defense radar and missile system from
Moscow. In both Tehran and Damascus, air defense commanders
were in shock.

Cyber warriors around the world, however, were not surprised.
This was how war would be fought in the information age, this was
Cyber War. When the term "cyber war" is used in this book, it refers
to actions by a nation-state to penetrate another nation's computers
or networks for the purposes of causing damage or disruption.
When the Israelis attacked Syria, they used light and electric pulses,
not to cut like a laser or stun like a taser, but to transmit 1's and 0's
to control what the Syrian air defense radars saw. Instead of blowing
up air defense radars and giving up the element of surprise before
hitting the main targets, in the age of cyber war, the Israelis ensured
that the enemy could not even raise its defenses.

The Israelis had planned and executed their cyber assault flawlessly.
Just how they did it is a matter of some conjecture.

There are at least three possibilities for how they "owned" the
Syrians. First, there is the possibility suggested by some media reports
that the Israeli attack was preceded by a stealthy unmanned
aerial vehicle (UAV) that intentionally flew into a Syrian air defense
radar's beam. Radar still works essentially the same way it began
seventy years ago in the Battle of Britain. A radar system sends out
a directional radio beam. If the beam hits anything, it bounces back
to a receiver. The processor then computes where the object was that
the radio beam hit, at what altitude it was flying, at what speed it
was moving, and maybe even how big an object was up there. The
key fact here is that the radar is allowing an electronic beam to come
from the air, back into the ground-based computer system.

Radar is inherently an open computer door, open so that it can
receive back the electronic searchers it has sent out to look for things
in the sky. A stealthy Israeli UAV might not have been seen by the
Syrian air defense because the drone would have been coated with
material that absorbs or deflects a radar beam. The UAV might,
however, have been able to detect the radar beam coming up from
the ground toward it and used that very same radio frequency to
transmit computer packets back down into the radar's computer
and from there into the Syrian air defense network. Those packets
made the system malfunction, but they also told it not to act as if
there was anything wrong with it. They may have just replayed a do-loop
of the sky as it was before the attack. Thus, while the radar beam
might later have bounced off the attacking Eagles and Falcons, the
return signal did not register on the Syrian air defense computers.
The sky would look just like it had when it was empty, even though
it was, in actuality, filled with Israeli fighters. U.S. media reports
indicate that the United States has a similar cyber attack system,
code-named Senior Suter.

Second, there is the possibility that the Russian computer code
controlling the Syrian air defense network had been compromised
by Israeli agents. At some point, perhaps in the Russian computer
lab or in a Syrian military facility, someone working for Israel or
one of its allies may have slipped a "trapdoor" into the millions of
lines of computer code that run the air defense program. A "trapdoor"
(or "Trojan Horse") is simply a handful of lines of computer
code that look just like all the other gibberish that comprise the instructions
for an operating system or application. (Tests run by the
National Security Agency determined that even the best-trained
experts could not, by visually looking through the millions of lines
of symbols, find the "errors" that had been introduced into a piece
of software.)

The "trapdoor" could be instructions on how to respond to certain circumstances. For example, if the radar processor discovers a particular
electronic signal, it would respond by showing no targets in
the sky for a designated period of time, say, the next three hours. All
the Israeli UAV would have to do is send down that small electronic
signal. The "trapdoor" might be a secret electronic access point that
would allow someone tapping into the air defense network to get
past the intrusion-detection system and firewall, through the encryption,
and take control of the network with full administrator's
rights and privileges.

The third possibility is that an Israeli agent would find any fiber-optic
cable of the air defense network somewhere in Syria and splice
into the line (harder than it sounds, but doable). Once on line, the
Israeli agent would type in a command that would cause the "trapdoor"
to open for him. While it is risky for an Israeli agent to be
wandering around Syria cutting into fiber-optic cables, it is far from
impossible. Reports have suggested for decades that Israel places its
spies behind Syrian borders. The fiber-optic cables for the Syrian
national air defense network run all over the country, not just inside
military installations. The advantage of an agent in place hacking
into the network is that it does not cause the operation to rely upon
the success of a "takeover packet" entering the network from a UAV
flying overhead. Indeed, an agent in place could theoretically set up
a link from his location back to Israel's Air Force command post.
Using low-probability-of-intercept (LPI) communications methods,
an Israeli agent may be able to establish "cove comms" (covert communications),
even in downtown Damascus, beaming up to a satellite
with little risk of anyone in Syria noticing.

Whatever method the Israelis used to trick the Syrian air defense
network, it was probably taken from a playbook they borrowed from
the U.S. Our Israeli friends have learned a thing or two from the programs
we have been working on for more than two decades. In 1990,
as the United States was preparing to go to war with Iraq for the first time, early U.S. cyber warriors got together with Special Operations
commandos to figure out how they could take out the extensive Iraqi
air defense radar and missile network just before the initial waves
of U.S. and allied aircraft came screeching in toward Baghdad. As
the hero of Desert Storm, four-star General Norm Schwarzkopf, explained
to me at the time, "these snake-eaters had some crazy idea"
to sneak into Iraq before the first shots were fired and seize control of
a radar base in the south of the country. They planned to bring with
them some hackers, probably from the U.S. Air Force, who would
hook up to the Iraqi network from inside the base and then send out
a program that would have caused all the computers on the network
all over the country to crash and be unable to reboot.
